diff options
author | Cyrille Bagard <nocbos@gmail.com> | 2021-05-24 11:28:47 (GMT) |
---|---|---|
committer | Cyrille Bagard <nocbos@gmail.com> | 2021-05-24 11:28:47 (GMT) |
commit | b3000495c05ff40d848f6357974cd4d5294a66c2 (patch) | |
tree | 7758191e24ea262b82029c0270e80ab6bfbde1a1 /src/analysis | |
parent | 73a09734a145722a3bd6199750fad62b46dd9339 (diff) |
Handle errors with more care when creating certificates.
Diffstat (limited to 'src/analysis')
-rw-r--r-- | src/analysis/db/certs.c | 96 |
1 files changed, 58 insertions, 38 deletions
diff --git a/src/analysis/db/certs.c b/src/analysis/db/certs.c index dabc127..11d12fd 100644 --- a/src/analysis/db/certs.c +++ b/src/analysis/db/certs.c @@ -255,6 +255,7 @@ static RSA *generate_rsa_key(unsigned int bits, unsigned long e) bool build_keys_and_ca(const char *dir, const char *label, unsigned long valid, const x509_entries *entries) { + bool result; /* Bilan à retourner */ RSA *rsa; /* Clef RSA pour le certificat */ EVP_PKEY *pk; /* Enveloppe pour clef publique*/ int ret; /* Bilan d'un appel */ @@ -263,20 +264,30 @@ bool build_keys_and_ca(const char *dir, const char *label, unsigned long valid, char *filename; /* Chemin d'accès à un fichier */ FILE *stream; /* Flux ouvert en écriture */ + result = false; + rsa = generate_rsa_key(4096, 17); if (rsa == NULL) goto rsa_failed; pk = EVP_PKEY_new(); - if (pk == NULL) goto pk_failed; + if (pk == NULL) + { + RSA_free(rsa); + goto pk_failed; + } ret = EVP_PKEY_assign_RSA(pk, rsa); - if (ret != 1) goto asign_failed; + if (ret != 1) + { + RSA_free(rsa); + goto asign_failed; + } x509 = X509_new(); if (x509 == NULL) goto x509_failed; ret = X509_set_pubkey(x509, pk); - if (ret != 1) goto ca_failed; + if (ret != 1) goto ca_asign_failed; ret = X509_set_version(x509, 2); if (ret != 1) goto ca_failed; @@ -344,7 +355,11 @@ bool build_keys_and_ca(const char *dir, const char *label, unsigned long valid, asprintf(&filename, "%s%c%s-key.pem", dir, G_DIR_SEPARATOR, label); stream = fopen(filename, "wb"); - if (stream == NULL) goto ca_failed; + if (stream == NULL) + { + free(filename); + goto ca_failed; + } ret = PEM_write_PrivateKey(stream, pk, NULL, NULL, 0, NULL, NULL); @@ -361,7 +376,11 @@ bool build_keys_and_ca(const char *dir, const char *label, unsigned long valid, asprintf(&filename, "%s%c%s-cert.pem", dir, G_DIR_SEPARATOR, label); stream = fopen(filename, "wb"); - if (stream == NULL) goto ca_failed; + if (stream == NULL) + { + free(filename); + goto ca_failed; + } ret = PEM_write_X509(stream, x509); @@ -375,34 +394,24 @@ bool build_keys_and_ca(const char *dir, const char *label, unsigned long valid, if (ret != 1) goto ca_failed; - /* Libérations finales */ - - X509_free(x509); - EVP_PKEY_free(pk); + result = true; - return true; + /* Libérations finales */ ca_failed: + ca_asign_failed: X509_free(x509); x509_failed: - - EVP_PKEY_free(pk); - - return false; - asign_failed: EVP_PKEY_free(pk); pk_failed: - - RSA_free(rsa); - rsa_failed: - return false; + return result; } @@ -458,6 +467,7 @@ static bool add_extension_to_req(STACK_OF(X509_EXTENSION) *sk, int nid, /*const bool build_keys_and_request(const char *dir, const char *label, const x509_entries *entries) { + bool result; /* Bilan à retourner */ RSA *rsa; /* Clef RSA pour le certificat */ EVP_PKEY *pk; /* Enveloppe pour clef publique*/ int ret; /* Bilan d'un appel */ @@ -467,20 +477,30 @@ bool build_keys_and_request(const char *dir, const char *label, const x509_entri char *filename; /* Chemin d'accès à un fichier */ FILE *stream; /* Flux ouvert en écriture */ + result = false; + rsa = generate_rsa_key(2048, 17); if (rsa == NULL) goto rsa_failed; pk = EVP_PKEY_new(); - if (pk == NULL) goto pk_failed; + if (pk == NULL) + { + RSA_free(rsa); + goto pk_failed; + } ret = EVP_PKEY_assign_RSA(pk, rsa); - if (ret != 1) goto asign_failed; + if (ret != 1) + { + RSA_free(rsa); + goto asign_failed; + } x509 = X509_REQ_new(); if (x509 == NULL) goto x509_failed; ret = X509_REQ_set_pubkey(x509, pk); - if (ret != 1) goto asign_failed; + if (ret != 1) goto req_asign_failed; /* Etablissement d'une identité */ @@ -523,8 +543,6 @@ bool build_keys_and_request(const char *dir, const char *label, const x509_entri ret = X509_REQ_add_extensions(x509, exts); if (ret != 1) goto exts_failed; - sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); - /* Signature */ ret = X509_REQ_sign(x509, pk, EVP_sha256()); @@ -538,7 +556,11 @@ bool build_keys_and_request(const char *dir, const char *label, const x509_entri asprintf(&filename, "%s%c%s-key.pem", dir, G_DIR_SEPARATOR, label); stream = fopen(filename, "wb"); - if (stream == NULL) goto req_failed_2; + if (stream == NULL) + { + free(filename); + goto req_failed_2; + } ret = PEM_write_PrivateKey(stream, pk, NULL, NULL, 0, NULL, NULL); @@ -555,7 +577,11 @@ bool build_keys_and_request(const char *dir, const char *label, const x509_entri asprintf(&filename, "%s%c%s-csr.pem", dir, G_DIR_SEPARATOR, label); stream = fopen(filename, "wb"); - if (stream == NULL) goto req_failed_2; + if (stream == NULL) + { + free(filename); + goto req_failed_2; + } ret = PEM_write_X509_REQ(stream, x509); @@ -569,35 +595,29 @@ bool build_keys_and_request(const char *dir, const char *label, const x509_entri if (ret != 1) goto req_failed_2; - return true; + result = true; - req_failed_2: + /* Libérations finales */ + req_failed_2: exts_failed: - sk_X509_EXTENSION_free(exts); + sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); req_failed: + req_asign_failed: X509_REQ_free(x509); x509_failed: - - EVP_PKEY_free(pk); - - return false; - asign_failed: EVP_PKEY_free(pk); pk_failed: - - RSA_free(rsa); - rsa_failed: - return false; + return result; } |